06.05.10

If you’ve paid even the slightest attention to tech news, you know Apple lost an iPhone prototype in a bar in the Bay Area. The finder sold it to Gizmodo for $5000, and Jason Chen of Gizmodo published a story with photos and details of it (and numerous followups) — a juicy tech story. More recently, San Mateo police, pursuant to a warrant, searched Jason Chen’s house, seizing numerous pieces of technology hardware. It thus becomes a juicy law story: trade secrets, protection of journalists’ sources, freedom of speech and the First Amendment, handling of lost or stolen property, lots of possible angles. In a number of them it approaches the clearly-defined boundaries of state and federal laws. Great popcorn fodder all around.

There are enough legal questions to satisfy anyone looking to argue them. There are correct answers and incorrect answers, but for a legal novice like me for whom the unknown unknowns are considerable, it’s far more productive to read others’ arguments than to hazard speculation. Also, some parts are matters of fact potentially for a jury to decide, further imperiling predictions.

Every so often, however, it’s possible to pass into realms where my knowledge is less patchy. One commentator, Peter Scheer of the First Amendment Coalition, thinks the police should have obtained a subpoena rather than a warrant, thereby according a journalist what one might claim is his due “delicacy”. Scheer closes an argument for this course of action by speculating as to why it was not taken:

Perhaps there is a more mundane explanation for the failure to use a subpoena in this case: The DA [district attorney] may have been under intense pressure (from whom? Apple, which reported the phone was stolen?) to act even before he could convene a grand jury to issue a subpoena.

If so, the DA may come to regret his haste: If a court rules he shouldn’t have used a warrant, the DA’s possession of evidence seized from Chen’s home may undermine any possible prosecution of other, more culpable, parties.

Assume arguendo that a court does indeed at some point rule the DA shouldn’t have used a warrant. Scheer then claims the seized evidence “may undermine any possible prosecution” of other parties (most likely referring to the original finder, as there is some question of whether the finder actually made a good-faith effort to return the iPhone prototype to its owner, potentially falling afoul of California law). Is this correct? The exclusionary rule forbids admissibility of evidence gained through unreasonable search or seizure in court, following straightforwardly from Weeks v. United States, 232 U. S. 383 (1914), and the Fourth Amendment. The exclusionary rule is then applicable to the states (and to local government such as San Mateo County) under Mapp v. Ohio, 367 U. S. 643 (1961). If case law stopped here it seems to me Scheer would be right — but it doesn’t. Prior to Mapp the Supreme Court held that:

In order to qualify as a “person aggrieved by an unlawful search and seizure,” [for whom evidence from an illegal search or seizure could be suppressed] one must have been a victim of a search or seizure, one against whom the search was directed, as distinguished from one who claims prejudice only through the use of evidence gathered as a consequence of a search or seizure directed at someone else.

It seems to me that, were the warrant declared invalid, evidence from the search would be suppressed in any potential prosecution of Jason Chen (and maybe Gizmodo — but in Alderman v. United States, 394 U. S. 165 (1968), the Court explicitly declined to apply the exclusionary rule with respect to evidence gained through illegal search of a “coconspirator”; Gizmodo or its other employees might or might not be such, maybe depending on whom a case targeted). However, I don’t see how evidence would be suppressed in the prosecution of anyone else — most particularly of the finder of the prototype.

The question for the la[w]zyweb: would evidence from Jason Chen’s computers, pursuant to an illegal search and seizure, be admissible in court against the original finder of the iPhone prototype? I think it would be admissible, and I think Peter Scheer is mistaken if he is suggesting that it wouldn’t.

Speculation’s fine, but as I already provide the less-educated kind I’d prefer if comments consisted of the more-educated kind. 🙂

28.12.08

Every so often (okay, ALL THE TIME) someone (Linux users, of course 🙂 ) wonders why Mozilla doesn’t use platform libraries for things like networking code. One commonly-argued reason is that it gives us the flexibility to fix security problems without waiting on those upstream libraries to make the fix themselves — we control the code, and we can make the fixes ourselves.

Another reason not to use platform libraries occurred to me while reading Planet WebKit today, specifically the recent WebKit’s week – #7 post. Quoting from that post, added emphasis mine:

An Internet Explorer extension (added in Firefox and Opera since) will soon be supported by WebKit based browsers. This restricts the access to certain cookies. They are only available for an HTTP request and so not from JavaScript. This is an important functionality to restrict the damages of an XSS vulnerability. This is not available in the nightlies because you need some updated Apple proprietary libraries (CFNetwork).

As noted, Firefox supports HTTPOnly cookies; after the patch to add this support was committed, you could download nightly builds which included the fix, and HTTPOnly would Just Work. No mess of upgrading platform libraries to make it happen, no separate-package updating, no waiting on Apple to update their platform libraries. (Incidentally, will Apple make those updates for 10.4 users as well, assuming they even decide to release a browser upgrade for a, er, “dying” OS release? Maybe, maybe not, who can say; “Apple does not comment on future products.”) Just download the build, build it from source yourself if you like building from source or if you’re a Gentoo ricer, and you have a working browser with the fix.
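To make the HTTPOnly behaviour described above concrete, here is a small added example (not code from the original post, nor from Mozilla or WebKit) that models the two views a browser keeps of its cookie jar: what goes out in the Cookie request header, and what script can read through document.cookie. It runs stand-alone under Node; the Set-Cookie headers are constructed sample values, and the jar deliberately ignores Path, Domain and Expires matching since only the HttpOnly flag matters here.

```javascript
// Added example: a minimal cookie jar modelling the HttpOnly flag.
// Cookies flagged HttpOnly are still sent on HTTP requests but are
// hidden from script (document.cookie), which is what limits the
// damage an XSS bug can do with a session cookie.
// Path/Domain/Expires handling is omitted on purpose (assumption).

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');               // first '=' splits name/value
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    httpOnly: false,
    secure: false,
  };
  for (const attr of attrs) {
    const key = attr.split('=')[0].trim().toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    // other attributes are ignored in this simplified model
  }
  return cookie;
}

class CookieJar {
  constructor() { this.cookies = new Map(); }   // name -> cookie, insertion order kept

  receive(setCookieHeader) {
    const c = parseSetCookie(setCookieHeader);
    this.cookies.set(c.name, c);
  }

  // Value of the Cookie: request header: every stored cookie, HttpOnly or not.
  requestHeader() {
    return [...this.cookies.values()]
      .map(c => `${c.name}=${c.value}`)
      .join('; ');
  }

  // What document.cookie would return to page script: HttpOnly cookies omitted.
  scriptVisible() {
    return [...this.cookies.values()]
      .filter(c => !c.httpOnly)
      .map(c => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// Constructed Set-Cookie headers: the weak form beside the corrected one.
const WITHOUT_HTTPONLY = ['sessionid=abc123; Path=/', 'theme=dark; Path=/'];
const WITH_HTTPONLY = ['sessionid=abc123; Path=/; HttpOnly', 'theme=dark; Path=/'];

// Feed a set of Set-Cookie headers into a fresh jar and report both views.
function demo(setCookieHeaders) {
  const jar = new CookieJar();
  for (const h of setCookieHeaders) jar.receive(h);
  return { request: jar.requestHeader(), script: jar.scriptVisible() };
}

console.log('without HttpOnly:', JSON.stringify(demo(WITHOUT_HTTPONLY)));
console.log('with HttpOnly:   ', JSON.stringify(demo(WITH_HTTPONLY)));
```

In the first case script can read the session id, so any injected script could read it too; in the second the session id is still sent on every request (the server notices no difference) but document.cookie shows only the theme cookie. That asymmetry is the whole point of the flag, and it is why having the fix land in the browser's own networking code rather than in a platform library matters for how quickly users get it.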

There are tradeoffs to be made rolling your own code when you could use something provided by the OS or by a third-party library. However, it should be equally clear that there are tradeoffs to be made going the other way, at least if you truly care about being cross-platform.